Anti-Microsoft security report mired in politics

WASHINGTON (09/26/2003) - A report that might have been a valuable contribution to the study of the security ramifications of monolithic IT infrastructures has instead become a pawn in the unending political battle between pro- and anti-Microsoft factions. And it has cost one of the co-authors his job.

The controversy stems from a report released Sept. 24 by seven self-proclaimed independent researchers from the IT security industry that harshly criticized Microsoft Corp.'s monopoly hold on the software industry. That hold is a fundamental cause of security problems that now confront the global Internet community, the report contends.

The day after the report's release, co-author Dan Geer was fired from his job as chief technology officer at Cambridge, Mass.-based @stake Inc., a security company that derives a hefty percentage of its income from Microsoft. Moreover, the firing was made retroactive to Sept. 23 so that @stake could further distance itself from Geer and the report, sources close to the situation said.

An @stake official, who spoke on condition of anonymity, confirmed that Geer was fired and said that as a corporate officer he should have known that Microsoft was a client of the company. "It's not a matter of the content of the report; it's a matter of ethics and respect for clients," the official said.

Geer couldn't be reached for comment on Friday.

Chris Wysopal, @stake's director of research, said the company had no argument with the report's basic premise that technological diversity poses less of a security risk than monolithic architectures. "But the way the report is positioned and a lot of its conclusions are things we don't agree with. The report is a bit one-sided," he said.

In any case, the firing didn't go down well with other authors of the report.

"It's very sad that @stake fired him for this," said Bruce Schneier, a co-author and founder of Cupertino, Calif., security consultancy Counterpane Internet Security Inc. "We as security researchers regularly speak, write and do reports that express our professional opinions. We assume that companies hire us for our integrity and honesty."

The authors of the report "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security" may have actually undermined their independence by teaming with the Computer & Communications Industry Association.

The CCIA is a Washington-based industry group whose members include direct Microsoft competitors such as Sun Microsystems Inc. and Oracle Corp., and it has supported the U.S. and European investigations into what the group has called "Microsoft's competitive abuses." The CCIA not only published and publicized the report on behalf of the researchers, but it also provided a written introduction to the document.

When asked during a teleconference on Sept. 24 about who or what organizations funded the study, Geer, whose firing had not yet been announced, said it was a "personal initiative" by the seven authors that wasn't funded by the CCIA or any third party.

Edward Black, president and CEO of the CCIA, said his organization had no role in developing the content of the report. "These guys did this on their own, and they contacted us because our expertise is in the policy area, and we had the infrastructure to publicize the report in Washington," he said.

"We didn't write the report for CCIA," said Perry Metzger, an independent security consultant and a report co-author.

"All of us are computer security people, not politicians," he said, responding to questions about the appearance of partisanship stemming from the group's relationship with the CCIA. "People should try to make up their own minds about whether or not we're right."

Complex Connections

However, users might have a hard time deciphering exactly who the honest broker is in this case. Washington-based Americans for Technology Leadership (ATL) was quick to issue a statement lashing out at the report, calling it a "shameless" campaign by the CCIA to "line the pockets of a handful of large companies."

But ATL's position may have been undermined by the fact that Microsoft is one of the 10 founding members of the organization, which is focused on limiting government regulation of technology.

"Enterprises need to realize that if they haven't heard of an organization that produces a study, it is probably funded by a vendor or other partisan entity," said John Pescatore, an analyst at Gartner Inc.

But in this case, users have found themselves caught in the crossfire with no concrete recommendations from either side. In fact, rather than offering solutions to the problems, the report simply lays blame on a lack of government policy and on senior executives at user companies who insist on purchasing only Microsoft software because of its ease of use and compatibility.

"The blame falls mostly on the buyers, because the sellers are going to sell what the buyers want," said Schneier, who also denied that the CCIA had any influence on the report.

Geer, meanwhile, likened some corporate executives to drug addicts when it comes to their dependence on Microsoft. "Heroin addicts shouldn't buy (heroin)," he said.

Steve McDowell, CIO at Holiday Retirement Corp. in Salem, Ore., cautioned that some of the blame is being misplaced. "I would agree that Microsoft's dominance creates a single target for all the hackers and other criminally minded people to concentrate on," he said. "But I don't think the blame is anyone's but the people perpetrating these crimes." And requiring large companies to deploy multiple operating systems throughout their enterprises is simply a recipe for higher costs and more complexity, he said.

"In our industry, we like standards, because we know that leads to lower costs," said Joe Puglisi, CIO at Emcor Group Inc., a construction and facilities management company in Norwalk, Conn. "If several companies each have to enhance and maintain (a different) operating system, we are likely to see more of a quiltwork of features and pay a higher price for them."

More diversity would also require "an arsenal of tools" to move data around, Puglisi added.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.